Use ignore-scripts to guard against supply-chain attacks (#4045)

Author: imnasnainaec

.dockerignore

@@ -3,6 +3,7 @@
 
 # Except the following.
 !.env
+!.npmrc
 !.parcelrc
 !dev-requirements.txt
 !docs/user_guide

.github/workflows/frontend.yml

@@ -19,6 +19,8 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   lint_build:
     runs-on: ubuntu-latest
+    env:
+      npm_config_ignore_scripts: true
     strategy:
       matrix:
         node-version: [22]
@@ -41,13 +43,19 @@ jobs:
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: ${{ matrix.node-version }}
-      - run: npm ci
-      - run: npm run fmt-frontend-check
-      - run: npm run lint
-      - run: npm run build
+      - name: Install dependencies
+        run: npm ci --ignore-scripts
+      - name: Format-check frontend
+        run: npm run fmt-frontend-check
+      - name: Lint frontend
+        run: npm run lint
+      - name: Build frontend
+        run: npm run build
 
   test_coverage:
     runs-on: ubuntu-latest
+    env:
+      npm_config_ignore_scripts: true
     strategy:
       matrix:
         node-version: [22]
@@ -70,7 +78,8 @@ jobs:
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: ${{ matrix.node-version }}
-      - run: npm ci
+      - name: Install dependencies
+        run: npm ci --ignore-scripts
       - name: Run tests and generate coverage
         run: npm run test-frontend:coverage
         env:

.npmrc

@@ -0,0 +1 @@
+ignore-scripts=true

Dockerfile

@@ -28,8 +28,9 @@ FROM node:22.21.1-bookworm-slim@sha256:4de72fb3998934a953f1bee37f0e0254b27c53520
 WORKDIR /app
 
 # Install app dependencies.
+COPY .npmrc ./
 COPY package*.json ./
-RUN npm ci
+RUN npm ci --ignore-scripts
 
 # Build application.
 COPY . ./